What Is Long-Term Validation and Why Is It Important for Digital Signatures?

Digital signatures are designed to help guarantee the authenticity and integrity of documents – but they have technical limitations: Certificates expire, cryptographic algorithms evolve, software and protocols become outdated, and revocation lists change. Without proper preservation mechanisms, a signature that is valid today may become unverifiable tomorrow.

This is where long-term validation (LTV) comes in. LTV ensures that digital signatures remain trustworthy for years, even decades, by preserving all the data needed to confirm their validity long after the original signing event.

Digital signatures are a special type of e-signature. They rely on public key infrastructures (PKIs), which use certificates and trust chains to verify a signature’s validity.

LTV refers to the process of embedding additional validation data into a digitally signed document to ensure its authenticity remains verifiable over time. This includes timestamps, certificate status information, and archival data.

Without LTV mechanisms in place, the following factors may influence the validity of digital signatures:

  • Certificate Expiration: Signing certificates have limited lifespans; when they expire, digital signatures generated using the certificate may no longer be trusted by software.
  • Revocation Changes: Certificates can be revoked. Digital signatures generated before the revocation may become invalid.
  • Algorithm Evolution: Cryptographic standards change, and future software may not recognize digital signatures from previous years.

LTV helps to maintain the validity of digital signatures over time. Generating a digital signature with LTV enabled will not only help to ensure legal enforceability by reducing the risk of disputes over document authenticity, but it will also help with maintaining compliance. For example, eIDAS Qualified Electronic Signatures (QESs) in the European Union require adherence to PAdES (PDF Advanced Electronic Signatures) standards with an LTV or LTA (long-term archiving) profile.

LTV is a process; it requires the following steps:

  • Embedding a timestamp: A trusted date and time reference, called a timestamp, is added to the PDF document’s metadata. In order to be trusted, this timestamp needs to be generated by a service provider that is recognized in your jurisdiction, such as a public certification authority, or a trust service provider in the European Union.
  • Embedding an OCSP response or a CRL response: The validity status of the certificate used for the signature is added to the document. OCSP responders and CRL services are typically managed by the service providers that issued the digital certificates used for your signatures.

LTV plays a crucial role in the value of signed documents, so it’s important to set it up correctly. Whenever possible, you should fully automate the LTV process so that all your signatures become LTV-enabled by default.

Use well-known standards like the PAdES-LTV profiles (ETSI’s PAdES‑B‑LT and PAdES‑B‑LTA levels are specifically aligned with eIDAS requirements) and PDF/A formats to ensure maximum compatibility and interoperability.

Ideally, the steps to enable LTV should be performed at the time of the digital signature. It is also possible to add LTV after the document is signed, but adding it at the time of signature offers several advantages:

  1. Stronger Legal Assurance: When validation data (timestamps, OCSP responses, CRLs) is captured immediately, it reflects the exact state of the trust chain at signing time. This makes it harder to dispute authenticity later.
  2. Reduced Risk of Missing Data: If you wait, some validation sources (like OCSP responders or CRL servers) may no longer be available, or certificates may have been revoked. Capturing data upfront ensures completeness.
  3. Compliance Readiness: Many standards (e.g., PAdES-LTV under eIDAS) expect LTV to be embedded during signing. Doing it later can create gaps that auditors or regulators flag.
  4. Lower Operational Complexity: Adding LTV later often requires reprocessing documents, which can be costly and error-prone. Doing it at signing integrates seamlessly into the workflow.
  5. Future-proofing: Immediate LTV ensures documents remain verifiable even if cryptographic algorithms or certificate authorities change over time.

Finally, digital signing technology is an ever-evolving topic, so don’t forget to regularly watch out for ETSI updates on PAdES and any new compliance framework that may come up.

PDF readers such as Adobe Acrobat Reader can help you read digital signature data, and help you find out whether the digital signature on a PDF is LTV-enabled or not:

  1. When you open a digitally signed PDF document in Adobe Acrobat Reader, a blue banner will show up at the top of the window:

  2. Simply click on the “Signature Panel” button on the right side of the blue banner. The signature panel will display all available information about the digital signature, including whether it is LTV-enabled:
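
A scripted counterpart to the signature-panel check, as an added example (not Entrust or Signhost code): it scans a PDF's bytes, including Flate-compressed object streams, for the PAdES structures that carry the embedded data described earlier, namely the Document Security Store (`/DSS`) with OCSP responses or CRLs, and a document timestamp (`/ETSI.RFC3161`). The function names, level labels and sample fragments are constructed for illustration.

```python
import re
import zlib

# Name tokens used by PAdES / ISO 32000-2 for signatures and validation data.
MARKERS = {
    "signature": rb"/SubFilter\s*/(?:ETSI\.CAdES\.detached|adbe\.pkcs7\.detached)",
    "doc_timestamp": rb"/SubFilter\s*/ETSI\.RFC3161",
    "dss": rb"/DSS\b",
    "ocsp": rb"/OCSPs\b",
    "crl": rb"/CRLs\b",
}
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def searchable_bytes(pdf: bytes) -> bytes:
    """Raw file plus every stream that inflates, so object streams are scanned too."""
    parts = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded: nothing to scan
    return b"\n".join(parts)

def ltv_triage(pdf: bytes) -> dict:
    data = searchable_bytes(pdf)
    found = {name: re.search(rx, data) is not None for name, rx in MARKERS.items()}
    revocation = found["dss"] and (found["ocsp"] or found["crl"])
    if not found["signature"]:
        level = "no signature"
    elif revocation and found["doc_timestamp"]:
        level = "revocation data + document timestamp"
    elif revocation:
        level = "revocation data embedded"
    else:
        level = "no embedded revocation data"
    return {**found, "level": level}

# Constructed fragments (not complete PDFs), just enough to exercise the scan.
SIG = b"1 0 obj\n<</Type/Sig/SubFilter/ETSI.CAdES.detached/Contents<00>>>\nendobj\n"
TS = b"5 0 obj\n<</Type/DocTimeStamp/SubFilter/ETSI.RFC3161>>\nendobj\n"
DSS_OBJSTM = (b"6 0 obj\n<</Type/ObjStm/Filter/FlateDecode>>\nstream\n"
              + zlib.compress(b"<</DSS 7 0 R>> <</OCSPs[8 0 R]/Certs[9 0 R]>>")
              + b"\nendstream\nendobj\n")
SAMPLES = {"plain": SIG, "lt": SIG + DSS_OBJSTM, "lta": SIG + DSS_OBJSTM + TS}

if __name__ == "__main__":
    for name, pdf in SAMPLES.items():
        print(name, "->", ltv_triage(pdf)["level"])
```

This is structural triage only: it does not verify the signature, check that the embedded OCSP responses or CRLs cover the whole certificate chain, or read encrypted files. A full verdict still needs a PAdES-aware validator.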

Entrust Signhost enables LTV by default on all signatures and seals generated, using either our web portal or our API. You can learn more about Signhost here and try it out yourself for free.